In an Ethernet local area network (LAN), computers or hosts are attached to the network and each host is uniquely identified by a physical address which is designated a media access control (MAC) address in an Ethernet network. The MAC address of each host is typically hardwired into an Ethernet network interface card in the host. The network interface card in each host transmits and receives Ethernet packets to communicate with the other hosts in the network. Each Ethernet packet includes an address segment including the MAC address of the host to receive the packet (destination MAC address) along with the MAC address of the host sending the packet (source MAC address), and further includes a data segment, as will be understood by those skilled in the art. The MAC address of each host is utilized by Ethernet switches in the network to receive and forward Ethernet packets between hosts. More specifically, a switch receives an Ethernet packet from a source host, examines the destination MAC address portion of the packet to determine where to forward the packet, and forwards the packet to the host corresponding to the destination MAC address.
In many situations, an Ethernet network must communicate with hosts outside the network and in different types of networks. For example, a user of a host in an Ethernet network may want to access various Web sites and Web pages contained on the Internet. To communicate with other types of networks, the host utilizes the Internet Protocol (IP) which allows hosts in many different types of networks to communicate with each other through IP packets. Within the Ethernet network, each host must be assigned an IP address by a network administrator for the purpose of communicating with computers outside the network via the Internet Protocol. Devices known as routers operate to forward IP packets from one network to another utilizing the IP addresses contained in the IP packets being communicated.
A router typically includes an access control list (ACL) to restrict or define the hosts with which a given host is allowed to communicate. For example, in an Ethernet network within a company, the hosts of employees may be restricted from communicating with certain Web sites. In this way, access control lists are utilized as a tool for network security to define or control the hosts and other objects, such as files and directories, with which a given host can communicate. For example, IP packets from a particular IP network or a particular Web site may be restricted from being received by hosts in the Ethernet network. In this situation, the access control list on the router would contain a field indicating that packets from the IP address corresponding to this Web site are to be denied, meaning that any such packets received by the router will not be forwarded to the intended host in the Ethernet network. IP packets include source and destination IP addresses, with the source IP address corresponding to the IP address of the host that sent the packet and the destination IP address corresponding to the host that is to receive the packet.
In an Ethernet network, there are two ways for a network administrator to assign IP addresses to hosts in the network. First, the network administrator can manually enter an IP address into a configuration file that is stored on each host. With large networks, this approach is typically not practical due to the amount of time it would take to configure all the hosts. As a result, the second approach that may be used is the configuration of a dynamic host configuration protocol (DHCP) server. The DHCP server operates to automatically assign IP addresses to hosts requesting an IP address instead of requiring the network administrator to manually assign such addresses. Typically, the DHCP server has a pool of available IP addresses that are assigned to requesting hosts as needed. When using a DHCP server to automatically assign IP addresses, the IP address for a given Ethernet host can change depending on the available IP addresses in the pool at the time the host requests the IP address. The use of a static ACL on a router to control access for a given Ethernet host does not work when a DHCP server is utilized since the IP address of the host is not static but changes over time. As a result, the static ACL having a set IP address for a given host does not allow the ACL to control access for that host when an IP address assigned to the host by the DHCP server is different than the IP address contained in the ACL.
In an Ethernet network, a user must typically log onto a host in the network to gain access to the network and other hosts coupled to the network. This is typically done through a centralized authentication server which authenticates the credentials of a particular user. For example, in a Microsoft Windows environment a Windows NT Domain Login is utilized to authenticate the credentials of a user before allowing that user access to the network via his host. A domain defines a group of computers and devices on a network that are administered as a unit with common rules and procedures, and a user provides a Windows NT Domain Login in the form of a user name and password to gain access to or log into the network. Another example is the login procedure utilized where an IEEE 802.11 wireless device wants to communicate with an Ethernet network. In this situation, the wireless device communicates login information to an Ethernet switch that also functions as an access point for the device to access the network, and the switch, in turn, communicates with a remote access and dial-in user service (RADIUS) server to verify the credentials of the user.
In some networks, there is no login procedure and user information is inferred directly from the MAC address of the host. Note that as used herein, the term host includes any type of electronic device that may be coupled to the network, such as a computer system, IP telephone, or personal digital assistant (PDA). For example, if a user “John Doe” has an IP telephone that begins sending Ethernet packets to the Ethernet network, then this IP telephone will be recognized using John Doe's Ethernet MAC address assigned to the telephone. A network administrator must configure the network in advance to define the MAC address for the IP telephone as a valid address within the network. Note that a user may log into the network on a number of different hosts and thus can have multiple MAC and IP addresses that will change as the user logs onto the network through different hosts. In many situations, access to resources within the network would ideally be restricted based upon user information regardless of the host through which the user is attempting to access the network.
In a network that communicates through the IP protocol, hosts are identified not only by their IP address but also by a “domain name” that is utilized instead of the IP address. As will be appreciated by those skilled in the art, a domain name such as “www.hp.com” may be registered with Internet domain name registration authorities to provide a plain English name that is easily remembered and recognized by users. Domain name system (DNS) servers contained in the Internet convert the domain name into a corresponding IP address which allows a host to communicate with a desired host corresponding to that IP address. There may be multiple IP addresses associated with a single domain name, and thus once again the use of a conventional ACL based upon a single IP address will not adequately restrict communication between a source host and destination host unless the ACL includes all such IP addresses. In the following description, the term “DNS name” will be used to refer to the domain name utilized by DNS servers and having an associated IP address, and the term “domain name” will be used to refer to groups of hosts in an Ethernet network that are administered as a unit such as a Windows NT domain name. Although the above examples are described with reference to an Ethernet network, the concepts or principles of the present invention may be applied to other types of networks, as will be appreciated by those skilled in the art.
There is a need for access control lists that allow access of hosts in a computer network such as an Ethernet network to be restricted or controlled based upon user names, MAC addresses, domain names, and DNS names instead of merely IP address information.
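The two failure modes described above (a static IP rule that stops matching once DHCP hands the host a new lease, and a single-IP rule that misses the other addresses behind a DNS name) can be shown side by side with a small model. This is an added illustration, not code from the patent: the `Rule` fields `src_mac` and `dst_dns`, the `expand` step that resolves them through a DHCP lease table and DNS answers, and all MAC, IP and name values are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                    # "deny" or "permit"
    src_ip: Optional[str] = None   # conventional ACL: fixed source IP
    dst_ip: Optional[str] = None   # conventional ACL: fixed destination IP
    src_mac: Optional[str] = None  # hypothetical: source host keyed by MAC
    dst_dns: Optional[str] = None  # hypothetical: destination keyed by DNS name

def expand(acl, leases, dns):
    """Resolve MAC- and DNS-keyed rules into (action, src_ip, dst_ip) tuples
    using the current DHCP lease table and DNS answers. None means 'any'."""
    concrete = []
    for r in acl:
        src = leases.get(r.src_mac) if r.src_mac is not None else r.src_ip
        if r.src_mac is not None and src is None:
            continue  # host holds no lease right now, so nothing to match
        dsts = dns.get(r.dst_dns, set()) if r.dst_dns is not None else {r.dst_ip}
        concrete.extend((r.action, src, d) for d in sorted(dsts, key=str))
    return concrete

def evaluate(concrete, src_ip, dst_ip, default="permit"):
    """Router-style check on IP headers only: first matching entry wins."""
    for action, s, d in concrete:
        if (s is None or s == src_ip) and (d is None or d == dst_ip):
            return action
    return default

def demo():
    # Constructed data: one host with two successive DHCP leases, and a DNS name with two A records.
    mac = "00:11:22:33:44:55"
    leases_before = {mac: "10.0.0.7"}   # lease held when the ACL was written
    leases_after = {mac: "10.0.0.9"}    # lease after the host renews or rejoins
    dns = {"www.example.invalid": {"203.0.113.10", "203.0.113.11"}}
    static_acl = [Rule("deny", src_ip="10.0.0.7", dst_ip="203.0.113.10")]
    dynamic_acl = [Rule("deny", src_mac=mac, dst_dns="www.example.invalid")]
    return {
        # the static rule only ever matches the exact IPs it was written with
        "static_same_lease": evaluate(expand(static_acl, leases_before, dns), "10.0.0.7", "203.0.113.10"),
        "static_new_lease": evaluate(expand(static_acl, leases_after, dns), "10.0.0.9", "203.0.113.10"),
        "static_other_record": evaluate(expand(static_acl, leases_before, dns), "10.0.0.7", "203.0.113.11"),
        # the MAC/DNS-keyed rule follows the host's current lease and covers every A record
        "dynamic_new_lease": evaluate(expand(dynamic_acl, leases_after, dns), "10.0.0.9", "203.0.113.11"),
        "dynamic_no_lease": evaluate(expand(dynamic_acl, {}, dns), "10.0.0.9", "203.0.113.11"),
    }
```

Note that a rule keyed on a MAC or DNS name must be re-expanded whenever the lease table or DNS answers change; the concrete tuples are only as current as the data they were derived from.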